viccross / ansible-playbooks

My collection of Ansible playbooks for various tasks (dominated by Openshift, currently)
Apache License 2.0

LDAP SSL not working on z/VM 7.3 #136

Closed viccross closed 1 year ago

viccross commented 1 year ago

Tried to log on to OCP console hosted on our 7.3, and it failed. Looking at the LDAPSRV console I see:

GLD1116E Unable to initialize an SSL connection with 172.24.26.3: 440 - Incorrect key usage.

The same Ansible openssl_csr code is used to generate key/CSR/cert.

There seems to be an update to the SSL support in z/VM 7.3. On 7.2, gskkyman does not report any keyUsage fields, but on 7.3 it does. According to this support page, the certificate needs "keyEncipherment" enabled in keyUsage.

viccross commented 1 year ago

Updated cert generation code added the key usage and extended key usage fields from an example -- so it is not a change in SSL support, it's simply that a new version of the certificate was made which is actually broken.

An updated certificate is in testing (on Vic's Feb 13 demo rig); the process that made the incorrect certificate has had the additional "keyEncipherment" field added.
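The two comments above describe the fix in words only: the CSR that produced the broken certificate carried keyUsage without keyEncipherment, and the repaired process adds it. The following is an added illustration, not code from this repository or from viccross, showing the broken and the corrected community.crypto.openssl_csr task side by side. All paths, the common name, the CA location and the key size are assumptions chosen for the example.

```yaml
# Added example, not the repository's own playbook code.
# Paths, CN, key size and CA locations are assumptions for illustration.
- name: Generate the LDAP server private key (assumed path)
  community.crypto.openssl_privatekey:
    path: /tmp/ldapsrv.key
    size: 2048

# Broken variant: keyUsage copied from an example that lacks keyEncipherment.
# The issue reports that z/VM 7.3 LDAPSRV rejects such a certificate with
# GLD1116E "Incorrect key usage" (7.2 did not evaluate keyUsage).
- name: CSR with insufficient key usage (do not use)
  community.crypto.openssl_csr:
    path: /tmp/ldapsrv-broken.csr
    privatekey_path: /tmp/ldapsrv.key
    common_name: ldapsrv.example.com
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - serverAuth

# Corrected variant: keyEncipherment added alongside digitalSignature,
# which is what RSA key-transport cipher suites require of a server cert.
- name: CSR with key usage accepted by z/VM 7.3 LDAPSRV
  community.crypto.openssl_csr:
    path: /tmp/ldapsrv.csr
    privatekey_path: /tmp/ldapsrv.key
    common_name: ldapsrv.example.com
    subject_alt_name:
      - DNS:ldapsrv.example.com
    key_usage:
      - digitalSignature
      - keyEncipherment
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: false

# Sign with a lab CA; the CA files are assumed to exist at these paths.
- name: Issue the certificate from the lab CA
  community.crypto.x509_certificate:
    path: /tmp/ldapsrv.crt
    csr_path: /tmp/ldapsrv.csr
    provider: ownca
    ownca_path: /tmp/ca.crt
    ownca_privatekey_path: /tmp/ca.key
```

Before importing the result into the gskkyman database, confirm the extension actually made it into the issued certificate (a CA can strip or override requested extensions): `openssl x509 -in /tmp/ldapsrv.crt -noout -text` should show `X509v3 Key Usage: critical` followed by `Digital Signature, Key Encipherment`. If the line reads only `Digital Signature`, the CA profile, not the CSR, is dropping keyEncipherment.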

viccross commented 1 year ago

I have built a script based on expect and s3270. The script does the following:

I feel like it is very fragile, however, since it is proving very difficult to reliably script against CMS over TN3270. Paul suggested GSKit on Linux, which I had looked for in the past but not been able to find. I just found it, however. There may be command-line options and/or alternative commands available in the GSKit package for Linux compared to CMS, which would make the process less fragile and more maintainable.